2. The report doesn't clearly state this, but the thesis seems to imply that the SDTID file-based import is what is being exploited. I wanted to understand if the CT-KIP based distribution would also have the same impact?

Just took a read of both articles, and, from my understanding, the issue described resides in the fact that the attacker edited the Software Token source code to be able to import the SecurID Token Seed without getting the error message "Device intended for this token was not found...".

What does that mean? The attacker already had the SecurID Token Seed file in its possession.

What about CT-KIP Software Token delivery? The CT-KIP distribution can be configured on the number of valid days before the Activation Code expires. I think it could be great if RSA developers added an option for the number of times you can use that Activation Code, so we could set it to just "1".

>> For the CT-KIP Software Token delivery, you should ONLY allow this to be done from within your corporate networks, so that could avoid bypassing this when trying to connect from outside your corporate networks.